

Personal data processing operations that could result in a high risk to the rights and freedoms of data subjects require a risk assessment.
What is this assessment, and how do you go about it?

If you have identified personal data processing operations that could pose a high risk to the rights and freedoms of data subjects, you will need to carry out what is known as a Data Protection Impact Assessment (DPIA).

This assessment is mandatory for every such processing operation, not just a sample of them.

What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment (DPIA) is an analysis that helps you design your data processing operations in a privacy-friendly way. It is also the document with which you demonstrate that those processing operations comply with the GDPR.

The DPIA rests on two main pillars:

  1. Privacy risk management: identifying the risks to personal data and implementing the technical measures needed to protect it.
  2. Fundamental principles and rights: these are non-negotiable principles and rights laid down by law. They cannot be traded off against risk and must be respected regardless of the nature, severity or likelihood of the risks identified.

A DPIA contains:

     - A description of the processing operation and its purpose.

     - An assessment of the necessity and proportionality of the processing operations with regard to the purposes for which they are to be carried out.

     - An assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks.


When do I have to conduct a DPIA?

Carrying out a DPIA is considered good practice for any processing operation, whether or not it is likely to pose a high risk to the privacy of data subjects, because it lets you check that the processing complies with the GDPR.

A DPIA should be carried out before the processing operation is implemented. It should then be reviewed and updated regularly, and in particular after any significant change to the way the processing is carried out.

Beyond good practice, Article 35 of the GDPR makes a DPIA mandatory for any processing operation that is likely to result in a high risk to the rights and freedoms of data subjects. To determine whether a processing operation is likely to present such a risk, the CNIL (Commission Nationale de l'Informatique et des Libertés, the French data protection authority) relies on the nine criteria set out in the Article 29 Working Party (WP29, also known as G29) guidelines:

  1. Evaluation or scoring;
  2. Automated decision-making with legal or similarly significant effect;
  3. Systematic monitoring;
  4. Sensitive or highly personal data;
  5. Personal data processed on a large scale;
  6. Matching or combining datasets;
  7. Data concerning vulnerable persons;
  8. Innovative use or application of new technological or organizational solutions;
  9. Processing that prevents data subjects from exercising a right or using a service or contract.

If a processing operation meets at least two of these criteria, the CNIL recommends that you carry out a DPIA.

Who is involved in carrying out a DPIA

  • The data controller: as the data controller, you must validate the DPIA and commit to implementing the action plan it defines.
  • The Data Protection Officer: draws up the action plan and checks that it is implemented.
  • The processor: must provide the information needed to complete the DPIA.
  • Data subjects (or their representatives): where appropriate, their views on the intended processing are sought, since it concerns them directly.

Tools from the CNIL to help you

The CNIL has published a catalog of best practices to help you carry out a DPIA and identify which of your processing operations are likely to pose a risk to the rights and freedoms of data subjects.

Among these tools is a beta version of the PIA software, an application that makes it easier to formalize and document the analysis.